Enum PriceResult 

pub enum PriceResult {
    Ok(PriceData),
    Err(u32),
}

Result type for lastprice() that allows auto-halt to commit even on guardrail violations.

Why a custom enum instead of Result<PriceData, OracleSafetyViolation>?

Soroban contract methods that return Result::Err cause all storage writes in the same invocation to roll back, including writes inside open_circuit_breaker(). The original Phase 5.2 design hit this and was reverted (commit e98ed48). By returning Ok(PriceResult::Err(...)) from the contract method, the breaker write commits while still conveying the violation to the caller.

Why Err(u32) and not Err(OracleSafetyViolation)?

OracleSafetyViolation is a #[contracterror] type. soroban-sdk 25.x has two distinct constraints that block embedding it inside the #[contracttype] enum below — both empirically verified, the second not surfaced until Hardening 6C’s PoC:

1. SorobanArbitrary bound (Pre-5.4 finding). Under the test feature soroban-sdk derives an Arbitrary prototype for every #[contracttype]. The derive recursively requires every variant’s payload to implement SorobanArbitrary, which #[contracterror] types do not — build fails with “trait bound OracleSafetyViolation: SorobanArbitrary is not satisfied.” Manual SorobanArbitrary impl on the error type is conceptually possible (the trait is pub, three trait bounds to satisfy).

2. ScVec: TryFrom<(ScSymbol, &OracleSafetyViolation)> bound (Hardening 6C finding, deferred). Independent of the Arbitrary derive, the #[contracttype] macro’s XDR encoding expects each variant payload to be convertible into the tuple shape (ScSymbol, &T) ⟶ ScVec. #[contracterror] types implement IntoVal<Env, Val> but not this specific tuple-to-XDR path. A manual impl is blocked by Rust’s orphan rule — both ScVec and (ScSymbol, &T) are foreign, so neither side of the TryFrom can host the impl from this crate. Closing this would require either (a) a soroban-sdk change exposing the conversion or (b) reshaping OracleSafetyViolation away from #[contracterror] (which would lose the stable u32 discriminants that integrators consume).

Carrying the violation as its u32 discriminant sidesteps both constraints. The values here MUST stay aligned with OracleSafetyViolation = 1..=10. The into_result() shim re-hydrates the typed variant for callers that want it. Hardening Phase debt #17 remains deferred for future SDK releases that resolve constraint (2).

Migration from the Phase 1-4 Result<PriceData, OracleSafetyViolation>

Callers that used ? continue to do so via the into_result() shim:

// Before (Phase 1-4):
let price = safe_oracle::lastprice(&env, &asset, ...)?;

// After (Phase 5.2 v2):
let price = safe_oracle::lastprice(&env, &asset, ...).into_result()?;

From<Result<PriceData, OracleSafetyViolation>> is also implemented so internal helpers that produce Result (e.g., lastprice_inner) convert at the API boundary without per-callsite match plumbing.

Audit notes

• PriceResult::Err(d) is semantically identical to a guardrail failure. A lending protocol MUST NOT proceed with PriceResult::Err the same way it would not proceed with Err in Phase 1-4.
• The Ok wrapping at the Soroban boundary is a storage-commit mechanism only; the public-facing semantics (“violation = no price”) are unchanged.
• Tuple variants (not named-field) match the soroban-sdk 25.x #[contracttype] enum constraint observed in Phase 5.1.

Spec

See spec §4 — Function Signature and Stub Contract. PriceResult preserves the spec’s lastprice → Ok(price) | Err(violation) semantic at the public API level (via PriceResult::into_result) while letting auto-halt writes inside lastprice commit at the Soroban boundary.

Variants

Ok(PriceData)

Validated price data, all guardrails passed.

Err(u32)

Guardrail violation; price MUST NOT be used. The u32 is the OracleSafetyViolation discriminant (1..=10); see into_result() for the typed re-hydration.

Implementations

impl PriceResult

pub const fn spec_xdr() -> [u8; 1320]

impl PriceResult

pub fn is_ok(&self) -> bool

Returns true if the result is Ok.

pub fn is_err(&self) -> bool

Returns true if the result is Err.

pub fn into_result(self) -> Result<PriceData, OracleSafetyViolation>

Convert to standard Rust Result for ergonomic ? operator usage.

Recommended migration path for Phase 1-4 callers: replace lastprice(...)? with lastprice(...).into_result()?.

Re-hydrates the u32 discriminant into the typed OracleSafetyViolation. Unknown discriminants panic — they cannot occur on a result produced by lastprice(), which only emits values from the canonical 1..=10 range, but the explicit panic guards against forged values reaching the shim.

Trait Implementations

impl Clone for PriceResult

fn clone(&self) -> PriceResult

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for PriceResult

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl From<Result<PriceData, OracleSafetyViolation>> for PriceResult

fn from(r: Result<PriceData, OracleSafetyViolation>) -> Self

Converts to this type from the input type.

impl PartialEq for PriceResult

fn eq(&self, other: &PriceResult) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl TryFromVal<Env, &PriceResult> for Val

type Error = ConversionError

fn try_from_val(env: &Env, val: &&PriceResult) -> Result<Self, ConversionError>

impl TryFromVal<Env, PriceResult> for Val

type Error = ConversionError

fn try_from_val(env: &Env, val: &PriceResult) -> Result<Self, ConversionError>

impl TryFromVal<Env, Val> for PriceResult

type Error = ConversionError

fn try_from_val(env: &Env, val: &Val) -> Result<Self, ConversionError>

impl Eq for PriceResult

impl StructuralPartialEq for PriceResult